13.0.0+3.5.9 (#33)

* rename githubixx.kubernetes-ca to githubixx.kubernetes_ca

* Molecule: rename scenario from kvm to default

* remove support for Ubuntu 18.04 (reached EOL)

* rename molecule/kvm to molecule/default

* README.md: update link / fix typo

* update etcd to v3.5.9

* defaults/main.yml + README.md: better formatting

* templates/etc/systemd/system/etcd.service.j2: better formatting

* defaults/main.yml + README.md: remove trailing spaces

* fix ansible-lint issues

* update README

* add support for Ubuntu 22.04

* molecule/default/molecule.yml: remove provider options / add memory + cpu parameter to VMs

* molecule/default/verify.yml: fix typos

* add molecule/default/host_vars

* templates/etc/systemd/system/etcd.service.j2: add etcd_service_options

* tasks/main.yml: add tasks to setup etcd user and group / setup various etcd directories

* defaults/main.yml: introduce new variables: etcd_service_options, etcd_data_dir_group, etcd_data_dir_user, etcd_data_dir_mode, etcd_bin_dir_group, etcd_bin_dir_user, etcd_download_dir_group, etcd_download_dir_user, etcd_conf_dir_group, etcd_conf_dir_user, etcd_group_system, etcd_group_gid, etcd_group, etcd_user_home, etcd_user_system, etcd_user_shell, etcd_user_uid, etcd_user

* update README

* update CHANGELOG

* README: update Ansible Galaxy kubernetes_ca role URL

CHANGELOG.md

@@ -1,6 +1,21 @@
 Changelog
 ---------
 
+**13.0.0+3.5.9**
+
+**NOTE**: This version contains some potential breaking changes to increase security related settings. So please test thoroughly before upgrading!
+
+- **BREAKING**: Remove support for Ubuntu `18.04` (reached EOL)
+- **BREAKING**: This update introduces quite a few new variables mainly for managing permissions and for security. These variables are: `etcd_service_options`, `etcd_data_dir_group`, `etcd_data_dir_user`, `etcd_data_dir_mode`, `etcd_bin_dir_group`, `etcd_bin_dir_user`, `etcd_download_dir_group`, `etcd_download_dir_user`, `etcd_conf_dir_group`, `etcd_conf_dir_user`, `etcd_group_system`, `etcd_group_gid`, `etcd_group`, `etcd_user_home`, `etcd_user_system`, `etcd_user_shell`, `etcd_user_uid`, `etcd_user`. Please see `defaults/main.yml` what these variables are good for. In general the defaults should be fine. Previously `etcd` was running with `root` account which is not optimal. This was changed so that it runs with user `etcd` by default now as specified in `etcd_user`. The role will take care that all the directories and files will change their owner and group accordingly. In general upgrading should work pretty flawlessly but as said above please test!
+- **BREAKING**: `etcd_service_options` contains options for the `[Service]` section in the systemd `etcd.service` file. Besides a few other settings in also includes security/sandbox related settings and limit the exposure of the system towards the unit's processes.
+- update `etcd` to `v3.5.9`
+- add support for Ubuntu `22.04`
+- Molecule: rename scenario from `kvm` to `default`
+- Molecule: rename `githubixx.kubernetes-ca` to `githubixx.kubernetes_ca`
+- Molecule: remove provider options / add memory + cpu parameter to VMs
+- Molecule: adjust settings + adding host variables to cover different settings
+- fix ansible-lint issues
+
 **12.2.0+3.5.8**
 
 - update `etcd` to `v3.5.8`

README.md

@@ -3,14 +3,15 @@ ansible-role-etcd
 
 This Ansible role is used in [Kubernetes the not so hard way with Ansible - etcd cluster](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-etcd/). But it can be used without a Kubernetes cluster of course.
 
-Installes a etcd cluster. HINT: This playbook does NOT reload or restart the etcd cluster processes after the systemd service file was changed! This is intentional! It would be a very bad idea to restart all etcd processes at the same time. So if the `etcd.service` file has changed restart/reload etcd by hand one node after the other and check log output if the node joined the cluster again afterwards! As a side node: The script will issue a `systemctl daemon-reload` after the etcd service file was changed so that at least systemd is aware of the changed file and you don't take care about that. So a reboot of a etcd node would also active the new configuration.
+Installs a etcd cluster. HINT: This playbook does NOT reload or restart the etcd cluster processes after the systemd service file was changed! This is intentional! It would be a very bad idea to restart all etcd processes at the same time. So if the `etcd.service` file has changed restart/reload etcd by manually one node after the other and check log output if the node joined the cluster again afterwards! Of course this process can be automated too but it's currently not part of this role.
+As a side node: The script will issue a `systemctl daemon-reload` after the etcd service file was changed so that at least systemd is aware of the changed file and you don't take care about that. So a reboot of a etcd node would also active the new configuration.
 
 Upgrading a etcd cluster which was installed by this role is described in [here](https://www.tauceti.blog/posts/kubernetes-the-not-so-hard-way-with-ansible-upgrading-kubernetes/#etcd).
 
 Versions
 --------
 
-I tag every release and try to stay with [semantic versioning](http://semver.org). If you want to use the role I recommend to checkout the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. A tag `11.0.0+3.5.1` means this is release `11.0.0` of this role and it's meant to be used with etcd version `3.5.1` (but should work with newer versions also). If the role itself changes `X.Y.Z` before `+` will increase. If the etcd version changes `X.Y.Z` after `+` will increase. This allows to tag bugfixes and new major versions of the role while it's still developed for a specific etcd release.
+I tag every release and try to stay with [semantic versioning](http://semver.org). If you want to use the role I recommend to checkout the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. A tag `13.0.0+3.5.9` means this is release `13.0.0` of this role and it's meant to be used with etcd version `3.5.9` (but should work with newer versions also). If the role itself changes `X.Y.Z` before `+` will increase. If the etcd version changes `X.Y.Z` after `+` will increase. This allows to tag bugfixes and new major versions of the role while it's still developed for a specific etcd release.
 
 Changelog
 ---------
@@ -20,7 +21,7 @@ see [CHANGELOG.md](https://github.com/githubixx/ansible-role-etcd/blob/master/CH
 Requirements
 ------------
 
-This role requires that you already created some certificates for `etcd` (see [Kubernetes the not so hard way with Ansible - Certificate authority (CA)](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-certificate-authority/) and Ansible role [kubernetes-ca](https://galaxy.ansible.com/githubixx/kubernetes-ca)). The playbook searches the certificates in `etcd_ca_conf_directory` on the host this playbook runs. Of course you can create the certificates on your own (see [Generate self-signed certificates](https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md) - Git repository is archived but information is still valid).
+This role requires that you already created some certificates for `etcd` (see [Kubernetes the not so hard way with Ansible - Certificate authority (CA)](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-certificate-authority/) and Ansible role [kubernetes_ca](https://galaxy.ansible.com/ui/standalone/roles/githubixx/kubernetes_ca/)). The playbook searches the certificates in `etcd_ca_conf_directory` on the host this playbook runs. Of course you can create the certificates on your own (see [Generate self-signed certificates](https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md) - Git repository is archived but information is still valid).
 
 Role Variables
 --------------
@@ -35,37 +36,131 @@ etcd_ca_conf_directory: "{{ '~/etcd-certificates' | expanduser }}"
 
 # etcd Ansible group
 etcd_ansible_group: "k8s_etcd"
+
 # etcd version
-etcd_version: "3.5.8"
+etcd_version: "3.5.9"
+
 # Port where etcd listening for clients
 etcd_client_port: "2379"
+
 # Port where etcd is listening for it's peer's
 etcd_peer_port: "2380"
+
 # Interface to bind etcd ports to
 etcd_interface: "tap0"
+
+# Run etcd daemon as this user.
+#
+# Note 1: If you want to use an "etcd_peer_port" < 1024 you most probably need
+# to run "etcd" as user "root".
+# Note 2: If the user specified in "etcd_user" does not exist then the role
+# will create it. Only if the user already exists the role will not create it
+# but it will adjust it's UID/GID and shell if specified (see settings below).
+# Additionally if "etcd_user" is "root" then this role wont touch the user
+# at all.
+etcd_user: "etcd"
+
+# UID of user specified in "etcd_user". If not specified the next available
+# UID from "/etc/login.defs" will be taken (see "SYS_UID_MAX" setting).
+# etcd_user_uid: "999"
+
+# Shell for specified user in "etcd_user". For increased security keep
+# the default.
+etcd_user_shell: "/bin/false"
+
+# Specifies if the user specified in "etcd_user" will be a system user (default)
+# or not. If "true" the "etcd_user_home" setting will be ignored. In general
+# it makes sense to keep the default as there should be no need to login as
+# the user that runs "etcd".
+etcd_user_system: true
+
+# Home directory of user specified in "etcd_user". Will be ignored if
+# "etcd_user_system" is set to "true". In this case no home directory will
+# be created. Normally not needed.
+# etcd_user_home: "/home/etcd"
+
+# Run etcd daemon as this group
+#
+# Note: If the group specified in "etcd_group" does not exist then the role
+# will create it. Only if the group already exists the role will not create it
+# but will adjust GID if specified in "etcd_group_gid" (see setting below).
+etcd_group: "etcd"
+
+# GID of group specified in "etcd_group". If not specified the next available
+# GID from "/etc/login.defs" will be take (see "SYS_GID_MAX" setting).
+# etcd_group_gid: "999"
+
+# Specifies if the group specified in "etcd_group" will be a system group (default)
+# or not.
+etcd_group_system: true
+
 # Directory for etcd configuration
 etcd_conf_dir: "/etc/etcd"
+
 # Permissions for directory for etcd configuration
-etcd_conf_dir_mode: 0755
+etcd_conf_dir_mode: "0750"
+
+# Owner of directory specified in "etcd_conf_dir"
+etcd_conf_dir_user: "root"
+
+# Group owner of directory specified in "etcd_conf_dir"
+etcd_conf_dir_group: "{{ etcd_group }}"
+
 # Directory to store downloaded etcd archive
 # Should not be deleted to avoid downloading over and over again
 etcd_download_dir: "/opt/etcd"
+
 # Permissions for directory to store downloaded etcd archive
-etcd_download_dir_mode: 0755
+etcd_download_dir_mode: "0755"
+
+# Owner of directory specified in "etcd_download_dir"
+etcd_download_dir_user: "{{ etcd_user }}"
+
+# Group owner of directory specified in "etcd_download_dir"
+etcd_download_dir_group: "{{ etcd_group }}"
+
 # Directory to store etcd binaries
-etcd_bin_dir: "/usr/local/bin"
-# Permissions for irectory to store etcd binaries
+#
 # IMPORTANT: If you use the default value for "etcd_bin_dir" which is
-# "/usr/local/bin" make sure that the permissions are correct as this
-# directory exists on every Linux filesystem and is very important!
-etcd_bin_dir_mode: 0755
+# "/usr/local/bin" then the settings specified in "etcd_bin_dir_mode",
+# "etcd_bin_dir_user" and "etcd_bin_dir_group" are ignored. This is
+# done to prevent that the permissions of "/usr/local/bin" are changed.
+# This directory normally exists already on every Linux installation
+# and should not be changed.
+# So please be careful if you specify a directory like "/usr/bin" or
+# "/bin" as "etcd_bin_dir" as this will change the permissions of
+# these directories and this is something you normally do not want.
+etcd_bin_dir: "/usr/local/bin"
+
+# Permissions for directory to store etcd binaries
+etcd_bin_dir_mode: "0755"
+
+# Owner of directory specified in "etcd_bin_dir"
+etcd_bin_dir_user: "{{ etcd_user }}"
+
+# Group owner of directory specified in "etcd_bin_dir"
+etcd_bin_dir_group: "{{ etcd_group }}"
+
 # etcd data directory (etcd database files so to say)
 etcd_data_dir: "/var/lib/etcd"
+
+# Permissions for directory to store etcd data
+etcd_data_dir_mode: "0700"
+
+# Owner of directory specified in "etcd_data_dir"
+etcd_data_dir_user: "{{ etcd_user }}"
+
+# Group owner of directory specified in "etcd_data_dir"
+etcd_data_dir_group: "{{ etcd_group }}"
+
 # Architecture to download and install
 etcd_architecture: "amd64"
-# Only change this if the architecture you are using is unsupported (for example: arm64)
-# For more information, see this: https://github.com/etcd-io/website/blob/master/content/docs/v3.4/op-guide/supported-platform.md
+
+# Only change this if the architecture you are using is unsupported
+# For more information, see this:
+# https://github.com/etcd-io/website/blob/main/content/en/docs/v3.5/op-guide/supported-platform.md
 etcd_allow_unsupported_archs: false
+
 # By default etcd tarball gets downloaded from official
 # etcd repository. This can be changed to some custom
 # URL if needed. For more information which protocols
@@ -74,11 +169,31 @@ etcd_allow_unsupported_archs: false
 # It's only important to keep the filename naming schema:
 # "etcd-v{{ etcd_version }}-linux-{{ etcd_architecture }}.tar.gz"
 etcd_download_url: "https://github.com/etcd-io/etcd/releases/download/v{{ etcd_version }}/etcd-v{{ etcd_version }}-linux-{{ etcd_architecture }}.tar.gz"
+
 # By default the SHA256SUMS file is used to verify the
 # checksum of the tarball archive. This can also be
 # changed to your needs.
 etcd_download_url_checksum: "sha256:https://github.com/coreos/etcd/releases/download/v{{ etcd_version }}/SHA256SUMS"
 
+# Options for [Service] section. For more information see:
+# https://www.freedesktop.org/software/systemd/man/systemd.service.html#Options
+# The options below "Type=notify" are mostly security/sandbox related settings
+# and limit the exposure of the system towards the unit's processes.
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+etcd_service_options:
+  - User={{ etcd_user }}
+  - Group={{ etcd_group }}
+  - Restart=on-failure
+  - RestartSec=5
+  - Type=notify
+  - ProtectHome=true
+  - PrivateTmp=true
+  - ProtectSystem=full
+  - ProtectKernelModules=true
+  - ProtectKernelTunables=true
+  - ProtectControlGroups=true
+  - CapabilityBoundingSet=~CAP_SYS_PTRACE
+
 etcd_settings:
   "name": "{{ ansible_hostname }}"
   "cert-file": "{{ etcd_conf_dir }}/cert-etcd-server.pem"
@@ -139,24 +254,24 @@ Example Playbook
 Testing
 -------
 
-This role has a small test setup that is created using [Molecule](https://github.com/ansible-community/molecule), libvirt (vagrant-libvirt) and QEMU/KVM. Please see my blog post [Testing Ansible roles with Molecule, libvirt (vagrant-libvirt) and QEMU/KVM](https://www.tauceti.blog/posts/testing-ansible-roles-with-molecule-libvirt-vagrant-qemu-kvm/) how to setup. The test configuration is [here](https://github.com/githubixx/ansible-role-etcd/tree/master/molecule/kvm).
+This role has a small test setup that is created using [Molecule](https://github.com/ansible-community/molecule), libvirt (vagrant-libvirt) and QEMU/KVM. Please see my blog post [Testing Ansible roles with Molecule, libvirt (vagrant-libvirt) and QEMU/KVM](https://www.tauceti.blog/posts/testing-ansible-roles-with-molecule-libvirt-vagrant-qemu-kvm/) how to setup. The test configuration is [here](https://github.com/githubixx/ansible-role-etcd/tree/master/molecule/default).
 
 Afterwards Molecule can be executed:
 
 ```bash
-molecule converge -s kvm
+molecule converge
 ```
 
-This will setup a three virtual machines (VM) with Ubuntu 20.04 and installs an `etcd` cluster. A small verification step is also included:
+This will setup a three virtual machines (VM) with Ubuntu 20.04/22.04 and installs an `etcd` cluster. A small verification step is also included:
 
 ```bash
-molecule verify -s kvm
+molecule verify
 ```
 
 To clean up run
 
 ```bash
-molecule destroy -s kvm
+molecule destroy
 ```
 
 License